CVSS: 5.9EPSS: 0%CPEs: 151EXPL: 0CVE-2022-42132
https://notcve.org/view.php?id=CVE-2022-42132
15 Nov 2022 — The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.0 fix pack 102 and earlier, 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before update 4, and DXP 7.4 GA includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential. La funcionalidad Probar usuarios de LDAP en Liferay Portal 7.0.0 a 7.4.3.4, y Liferay DXP 7.0 fixpack 102... • http://liferay.com • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.4EPSS: 0%CPEs: 46EXPL: 0CVE-2022-42110
https://notcve.org/view.php?id=CVE-2022-42110
14 Nov 2022 — A Cross-site scripting (XSS) vulnerability in the Announcements module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML. Una vulnerabilidad de Cross-Site Scripring (XSS) en el módulo Announcements en Liferay Portal 7.1.0 a 7.4.2 y Liferay DXP 7.1 antes del fix pack 27, 7.2 antes del fix pack 17 y 7.3 antes del service pack 3 permite a atacantes remotos inyectar s... • https://issues.liferay.com/browse/LPE-17403 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 52EXPL: 0CVE-2022-42112
https://notcve.org/view.php?id=CVE-2022-42112
18 Oct 2022 — A Cross-site scripting (XSS) vulnerability in the Portal Search module's Sort widget in Liferay Portal 7.2.0 through 7.4.3.24, and Liferay DXP 7.2 before fix pack 19, 7.3 before update 5, and DXP 7.4 before update 25 allows remote attackers to inject arbitrary web script or HTML via a crafted payload. Una vulnerabilidad de tipo Cross-site scripting (XSS) en el widget Sort del módulo Portal Search en Liferay Portal versiones 7.2.0 hasta 7.4.3.24, y Liferay DXP 7.2 versiones anteriores a fix pack 19, 7.3 ante... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 26EXPL: 0CVE-2022-42116
https://notcve.org/view.php?id=CVE-2022-42116
18 Oct 2022 — A Cross-site scripting (XSS) vulnerability in the Frontend Editor module's integration with CKEditor in Liferay Portal 7.3.2 through 7.4.3.14, and Liferay DXP 7.3 before update 6, and 7.4 before update 15 allows remote attackers to inject arbitrary web script or HTML via the (1) name, or (2) namespace parameter. Una vulnerabilidad de Cross-site scripting (XSS) en la integración del módulo Frontend Editor con CKEditor en Liferay Portal versiones 7.3.2 hasta 7.4.3.14, y Liferay DXP versiones 7.3 anteriores a ... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 29EXPL: 0CVE-2022-42117
https://notcve.org/view.php?id=CVE-2022-42117
18 Oct 2022 — A Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.3.2 through 7.4.3.16, and Liferay DXP 7.3 before update 6, and 7.4 before update 17 allows remote attackers to inject arbitrary web script or HTML. Una vulnerabilidad de tipo Cross-site scripting (XSS) en el módulo Frontend Taglib en Liferay Portal versiones 7.3.2 hasta 7.4.3.16, y Liferay DXP versiones 7.3 anteriores a update 6, y versiones 7.4 anteriores a 17, permite a atacantes remotos inyectar script web o HTML... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 13EXPL: 1CVE-2022-38902
https://notcve.org/view.php?id=CVE-2022-38902
13 Oct 2022 — A Cross-site scripting (XSS) vulnerability in the Blog module - add new topic functionality in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the name field of newly created topic. Una vulnerabilidad de tipo Cross-site scripting (XSS) en la funcionalidad Blog module - add new topic en Liferay Digital Experience Platform 7.3.10 SP3, permite a atacantes remotos inyectar scripts JS o HTML arbitrarios en el campo del nombre del tema recién cread... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-41414
https://notcve.org/view.php?id=CVE-2022-41414
07 Oct 2022 — An insecure default in the component auth.login.prompt.enabled of Liferay Portal v7.0.0 through v7.4.2 allows attackers to enumerate usernames, site names, and pages. Un fallo no seguro en el componente auth.login.prompt.enabled de Liferay Portal versiones v7.0.0 hasta v7.4.2, permite a atacantes enumerar nombres de usuarios, nombres de sitios y páginas • https://portal.liferay.dev/learn/security/known-vulnerabilities • CWE-276: Incorrect Default Permissions •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2022-28980
https://notcve.org/view.php?id=CVE-2022-28980
22 Sep 2022 — Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal v7.4.3.4 and Liferay DXP v7.4 GA allows attackers to execute arbitrary web scripts or HTML via parameters with the filter_ prefix. Múltiples vulnerabilidades de tipo cross-site scripting (XSS) en Liferay Portal versión v7.4.3.4 y Liferay DXP versión v7.4 GA, permiten a atacantes ejecutar scripts web o HTML arbitrarios por medio de parámetros con el prefijo filter_ • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 37EXPL: 0CVE-2022-28977
https://notcve.org/view.php?id=CVE-2022-28977
22 Sep 2022 — HtmlUtil.escapeRedirect in Liferay Portal 7.3.1 through 7.4.2, and Liferay DXP 7.0 fix pack 91 through 101, 7.1 fix pack 17 through 25, 7.2 fix pack 5 through 14, and 7.3 before service pack 3 can be circumvented by using multiple forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via the (1) 'redirect` parameter (2) `FORWARD_URL` parameter, and (3) others parameters that rely on HtmlUtil.escapeRedirect. El archivo HtmlUtil.escapeRedirect en Liferay Portal versiones ... • http://liferay.com • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.4EPSS: 0%CPEs: 5EXPL: 0CVE-2022-28982
https://notcve.org/view.php?id=CVE-2022-28982
21 Sep 2022 — A cross-site scripting (XSS) vulnerability in Liferay Portal v7.3.3 through v7.4.2 and Liferay DXP v7.3 before service pack 3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name of a tag. Una vulnerabilidad de tipo cross-site scripting (XSS) en Liferay Portal versiones v7.3.3 hasta v7.4.2 y Liferay DXP versiones v7.3 anteriores a service pack 3 permite a atacantes ejecutar scripts web o HTML arbitrarios por medio de una carga útil diseñada inyectada en el n... • http://liferay.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •